Thread: Pwn2Own 2010

  1. #1
    Join Date
    Sep 2008
    Location
    Seward's Folly, AK
    Posts
    3,679

    Pwn2Own 2010

    Annual competition where browsers, and smart phones get pwned. Link.

    Pwn2Own 2010: Browsers and iPhone Get Pwned!
    By TechHead
    Published: March 26, 2010



    The TippingPoint Zero Day Initiative (ZDI) held its annual Pwn2Own contest at the CanSecWest security conference held in Vancouver, BC on March 24th, 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This was the fourth year this contest was held and the total cash prize amounted to $100,000. The competition had two main technology targets, the first one being the security posture of market-leading web browsers and operating system pairings; and the second target being vulnerabilities affecting mobile phones.

    Target One: Browsers

    The multifaceted web browser continues to occupy a critical presence on the client-side attack surface. As Adobe, Google, and an estimated 30 other companies affected in the Aurora incident can attest to, the security posture of these products merits a yearly public evaluation by the research community at large. $40,000 of the total $100,000 cash prize pool was allotted to the web browser portion of the contest, each target being worth $10,000. The browser targets used this year were the latest versions of Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer, and Mozilla’s Firefox. After the first day of the event, all but Google Chrome had been successfully hacked.

    Safari Gets PWNED!



    Charlie Miller, a principal security analyst at consulting firm Independent Security Evaluators, remotely located a hole in the Safari browser of a MacBook Pro and launched a remote, “full-command” shell. This shell allowed him to run a set of commands and see all the files on the target’s MacBook. “There’s a reason for researchers like me to spend time looking for flaws,” said Miller. “We get something for winning, the company gets free research, and the end-user gets a patch to a critical bug. So in some sense, everybody wins there.” Miller expects to see a patch for the bug in the next month. He sees a reason for concern as hacks to the Mac are becoming a regular event at the CanSecWest conference annually. “It’s the fourth year they’ve run the contest, and every year someone’s broken into Safari,” he said. “You begin to wonder if there’s some sort of underlying problem in what they’re doing, that in the four years they haven’t made it any harder. One of these years, nobody’s going to be able to do it. Since that hasn’t happened yet, hopefully they’ll get their act together and make a more secure product.” Miller won $10,000 and a MacBook of his own.

    Microsoft’s Internet Explorer PWNED!



    Peter Vreugdenhil, an independent security researcher in the Netherlands, hacked Internet Explorer 8 on a Windows PC, passing through security features in the OS and data execution prevention code in Internet Explorer 8 to take over a Windows PC. Peter won $10,000 and the PC he pwned.

    Mozilla’s Firefox PWNED!



    Nils, the head of research at UK-based MWR InfoSecurity, broke into a 64-bit Windows 7 PC by launching a “quintessential CALC.EXE launching payload,” said TippingPoint’s Portnoy. Nils won $10,000 and a Sony Vaio as his prize.

    Target Two: Mobile Phones

    The increased presence and capabilities of smart phones have brought with them the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, email, and other client issues have been published in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research. The data stored and communicated across these devices is increasing in value to attackers.

    iPhone PWNED!


    Ralf Philipp Weinmann of the University of Luxembourg and Vincenzo Iozzo of German company Zynamics were able to grab key data in an iPhone, according to Portnoy. “The researchers used a vulnerability in Safari that pulled the SMS database,” he explained. Data included deleted messages, contacts, pictures, and iTunes music files. The joint hackers shared a $15,000 prize, and each took ownership of an iPhone.

    What Does All This Mean?

    “As a whole, most people seem to understand basic security, but there are still some gaping holes in today’s most popular hardware and software computing platforms,” Aaron Portnoy, security research team lead for TippingPoint said. “The goal of this contest is to demonstrate how vulnerable these devices really are.” The results of the contest will be reported to the manufacturers so they can create the appropriate patches, according to Portnoy. “Until then, we cannot discuss the details of the vulnerabilities [with] the public,” he said. “This is to help keep the vulnerabilities from being exploited before they can be patched.”

    So what do you think of the results of the Pwn2Own contest? Do you still feel your data is safe?

    One of the things to keep in mind is how the iPad is near launch and it shares the same OS as the iPhone. If the iPhone can be hacked so quickly using an exploit with Safari, how safe exactly is the iPad? Don’t forget that Zobny’s survey results showed us that many iPad customers plan on using the iPad to “work on the go.” How safe would your private business data be if that was the case? That’s what the whole purpose of the contest is for so hopefully the big companies can get their act together and secure their hardware/software better.
    I have a HUGE SIG!!!!



    My Dogs. Erp the Cat.

    Quote Originally Posted by Thomas Jefferson
    Tyranny is defined as that which is legal for the government but illegal for the citizenry.

  2. #2
    Join Date
    Jan 2004
    Location
    SE USA
    Posts
    18,443
    WOW! That is a great idea, to pay hackers to see if they can do that!

    Special Needs Pets just leave bigger imprints on your heart!

  3. #3
    Join Date
    Sep 2007
    Location
    Delaware, USA - The First State/Diamond State - home of The Blue Hens
    Posts
    9,321
    This gives me such a warm and fuzzy feeling. I feel so secure now!!! NOT!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Wolfy ~ Fuzzbutt #3
    My little dog ~ a heartbeat at my feet

    Sparky the Fuzzbutt - PT's DOTD 8/3/2010
    RIP 2/28/1999~10/9/2012
    Myndi the Fuzzbutt - Mom's DOTD - Everyday
    RIP 1/24/1996~8/9/2013
    Ellie - Mom to the Fuzzbuttz

    To everything there is a season, and a time to every purpose under the heaven.
    Ecclesiastes 3:1
    The clock of life is wound but once and no man has the power
    To know just when the hands will stop - on what day, or what hour.
    Now is the only time you have, so live it with a will -
    Don't wait until tomorrow - the hands may then be still.
    ~~~~true author unknown~~~~

  4. #4
    Join Date
    Dec 2003
    Location
    Land of the Ducks...quack!
    Posts
    7,007
    The best people to develop security on computers are hackers. With more things being done on smartphones, I'm glad there are people out there that are looking at phone security seriously.

    I didn't see Opera on the list...were there any attempts at it at all?

  5. #5
    Join Date
    Sep 2008
    Location
    Seward's Folly, AK
    Posts
    3,679
    Quote Originally Posted by DJFyrewolf36 View Post
    I didn't see Opera on the list...were there any attempts at it at all?
    I would say it's a good thing.


Copyright © 2001-2013 Pet of the Day.com